Adding comments to BPF under configuration

[HundleBun]

Version

2.4.20

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Standalone

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

48

RAM

192Gb

Storage for /

100Gb

Storage for /nsm

14TB

Network Traffic Collection

tap

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

We recently spun up a Standalone deployment in our infrastructure. I'm working through some of the higher influx noise right now and using BPF to cut some of it out. When adding new filters in Administration > Configuration > BPF > pcap, suricata, zeek I always encounter errors when attempting to add comments to new filters in place.

Once I removed my comments syncing had no issue applying the new BPFs. Is there a way to add comments within the GUI to keep track of why new filters were added? Adding comments, even on new lines, causes a failed sync

ex. of current filter

not (host 10.129.5.4 and dst port 161 and dst net 10.129.5.0/24) &&
not host 10.129.10.38

Also once a BPF is applied, is there a way to drop alerts already written to disk that pertain to that filter? or do I just wait for it to be overwritten?

Guidelines

• I have read the above statement and can confirm my post is relevant to Security Onion 2.4.

[HundleBun]

Edit: After adding the second filter not (host10.129.5.4 and dst port 161 and dst net 10.129.5.0/24) && I am still showing new data being written to disk that I'm attempting to filter out. In this case I want to drop all SNMP traffic originating from this server to the given netblock. Is there a different way this filter should be written to omit that traffic?

[dougburks]

Once I removed my comments syncing had no issue applying the new BPFs. Is there a way to add comments within the GUI to keep track of why new filters were added?

This should work better in the upcoming 2.4.30 release:
#11738
https://docs.securityonion.net/en/2.4/bpf.html#adding-comments

Also once a BPF is applied, is there a way to drop alerts already written to disk that pertain to that filter? or do I just wait for it to be overwritten?

You can manually acknowledge the alerts or wait for the data to be overwritten.

After adding the second filter not (host10.129.5.4 and dst port 161 and dst net 10.129.5.0/24) && I am still showing new data being written to disk that I'm attempting to filter out. In this case I want to drop all SNMP traffic originating from this server to the given netblock. Is there a different way this filter should be written to omit that traffic?

First, it looks like you're missing a space:

host10.129.5.4

should be:

host 10.129.5.4

Assuming that was just a typo here and not in your actual configuration, are you trying to apply this to Suricata, Zeek, or Steno?

Are you able to share a screenshot of the actual alerts/logs/data that you're trying to filter out?

Are you waiting 15-30 minutes to make sure the new configuration has fully applied?

Have you tried rebooting to see if that makes any difference?

[HundleBun]

Thanks for the reply Doug. I'll look to update to 2.4.30 when it releases.

I'm adding the rules to all 3 to avoid collecting any of the data we don't want in this instance. We're still piloting SO in a standalone deployment and seeing low pcap retention so we're cutting out what makes sense for now.

I ended up manually acknowledging the alerts and seeing they are gone today. I was just being too impatient it seems. Next time I'll be sure to acknowledge and then give SO ~30 min to update and apply new config after syncing.

[argwfm]

@dougburks, can these comments be inline, or do they need to be a a separate line?
Will both of the below work? Many thanks!

not port 53 #noDNS

#noDNS
not port 53

[TOoSmOotH]

They need to be on separate lines.

#nodns
not port 53

[argwfm]

@TOoSmOotH , thank you!